Freeradius, PEAP, Active Directory and --require-membership-of
Vieri
rentorbuy at yahoo.com
Fri Oct 3 10:24:37 CEST 2008
--- On Thu, 10/2/08, Vieri <rentorbuy at yahoo.com> wrote:
> I'm running freeradius-2.0.5 on Linux.
>
> My setup is as follows:
>
> Windows Vista native client - Linksys AP - FreeRadius Linux
> server (PEAP/mschapv2) - Active Directory Windows server
>
> Everything works smoothly with the following ntlm_auth
> parameters in the mschap module:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
> However, user authentication is rejected when I add the
> --domain parameter:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --domain=%{mschap:NT-Domain}
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
> (from the Windows Vista client I obviously set the DOMAIN
> field; besides, if I run the freeradius daemon with debug
> enabled I see that it "correctly" receives
> 'DOMAIN\username')
>
> For starters, I don't understand why authentication
> fails if I add --domain. How can I find out why?
>
> Then, adding --require-membership-of with or without
> --domain also fails.
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --domain=%{mschap:NT-Domain}
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --require-membership-of='DOMAIN\\WIFI'
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
>
> Finally, running ntlm_auth from the command line yields:
>
> # ntlm_auth --request-nt-key --domain=DOMAIN
> --username=myuser
> --require-membership-of='DOMAIN\\WIFI'
> password:
> NT_STATUS_OK: Success (0x0)
I found this in the radiusd debug log:
[2008/10/03 09:39:30, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
Winbindd lookupname failed to resolve 'DOMAIN\WIFI' into a SID!
so I removed the '' in the ntlm_auth string like this:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=DOMAIN --require-membership-of=DOMAIN\\WIFI --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
and now it works.
So this leads me to ask how I can specify group names with spaces such as 'WIFI 1'.
Also, I had to specify the domain explicitly either via --domain=DOMAIN or --domain=%{mschap:NT-Domain:-DOMAIN}. In the latter case, authentication succeeds only if the client does NOT specify a domain in the domain or user field.
So I'm attaching some debug outputs with the hope that someone can shed some light on this aspect which I obviously don't grasp.
Thanks,
Vieri
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radiusd.log.tar.gz
Type: application/x-gzip
Size: 21077 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20081003/47981f73/attachment.bin>
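As an added example (not from the thread and not FreeRADIUS or Samba code), one way to keep a group name with spaces out of the ntlm_auth command string altogether: a wrapper script that holds the domain and the required group itself and forwards the per-request arguments from radiusd. It assumes the mschap module's ntlm_auth setting is pointed at this script with the --username/--challenge/--nt-response arguments appended as before; NTLM_AUTH, NT_DOMAIN and WIFI_GROUP are placeholders, and the NTLM_AUTH override plus the two stand-in functions exist only for dry runs on a host without winbind.

```shell
#!/bin/sh
# Added example, not from the thread: wrapper that keeps the domain and the
# required group out of radiusd's ntlm_auth command string, so a group name
# containing spaces reaches ntlm_auth as exactly one argv element.
# Assumptions: radiusd's mschap ntlm_auth setting points at this script with
# --username/--challenge/--nt-response appended; NTLM_AUTH may be overridden
# to a stand-in for dry runs. Domain and group below are placeholders.
NTLM_AUTH="${NTLM_AUTH:-/usr/bin/ntlm_auth}"
NT_DOMAIN='DOMAIN'
WIFI_GROUP='DOMAIN\WIFI 1'   # single quotes: backslash and space kept literally

# run_ntlm_auth ARGS...: adds the fixed --domain and membership check, then
# forwards radiusd's per-request arguments untouched. The exit status is
# ntlm_auth's own (0 = NT_STATUS_OK), which is what rlm_mschap looks at.
run_ntlm_auth() {
    # Each "$var" expands to one word: the space in the group name is never
    # re-split and the single backslash is passed through as-is.
    "$NTLM_AUTH" --request-nt-key \
        --domain="$NT_DOMAIN" \
        --require-membership-of="$WIFI_GROUP" \
        "$@"
}

# Dry-run stand-ins for ntlm_auth: count_args prints how many argv elements
# arrived; show_group_arg prints the group value exactly as received.
count_args() { echo "$#"; }
show_group_arg() {
    for a in "$@"; do
        case "$a" in
            --require-membership-of=*) printf '%s\n' "${a#--require-membership-of=}" ;;
        esac
    done
}

# Only call the real binary when installed and run under this name.
case "$0" in *ntlm_auth_wifi*) run_ntlm_auth "$@" ;; esac
```

Setting NTLM_AUTH=show_group_arg and running the script by hand shows the group string ntlm_auth would try to resolve, which is a quick way to compare against a "lookupname failed to resolve" line in the radiusd log.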